Abstract

We present an encoding of Zermelo-Fraenkel set theory into many-sorted first-order logic, the input language of state-of-the-art SMT solvers. This translation is the main component of a back-end prover based on SMT solvers in the TLA+ Proof System.


1 Introduction 

The specification language TLA+ [11] combines a variant of Zermelo-Fraenkel (ZF) set theory for the description of the data manipulated by algorithms, and linear-time temporal logic for the specification of their behavior. The TLA+ Proof System (TLAPS) provides support for mechanized reasoning about TLA+ specifications; it integrates backends for making automatic reasoners available to users of TLAPS. The work reported here is motivated by the development of an SMT backend through which users of TLAPS interact with off-the-shelf SMT (satisfiability modulo theories) solvers for non-temporal reasoning in the set theory of TLA+.

More specifically, TLAPS is built around a so-called Proof Manager that interprets the proofs occurring in the TLA+ module provided by the user, generates corresponding proof obligations, and passes them to external automated verifiers, which are the back-end provers of TLAPS.

Previous to this work, three back-end provers with different capabilities were available: Isabelle/TLA+, a faithful encoding of TLA+ set theory in the Isabelle proof assistant, which provides automated proof methods based on first-order reasoning and rewriting; Zenon [5], a tableau prover for first-order logic with equality that includes extensions for reasoning about sets and functions; and a backend called SimpleArithmetic, now deprecated, implementing a decision procedure for Presburger arithmetic.¹

The Isabelle and Zenon backends have very limited support for arithmetic reasoning, while SimpleArithmetic handles only pure arithmetic formulas, requiring the user to manually decompose the proofs until the corresponding proof obligations fall within the respective fragments. Beyond its integration as a semi-automatic backend, Isabelle/TLA+ serves as the most trusted back-end prover. Accordingly, it is also intended for certifying proof scripts produced by other back-end provers. When possible, backends are expected to produce a detailed proof that can be checked by Isabelle/TLA+. Currently, only the Zenon backend has an option for exporting proofs that can be certified in this way.

In this paper we describe the foundations of a back-end prover based on SMT solvers for non-temporal proof obligations arising in TLAPS.² When verifying distributed algorithms, proof obligations are usually "shallow", but they still require many details to be checked: interactive proofs can become quite large without powerful automated back-end provers that can cope with a significant fragment of the language. TLA+ heavily relies on modeling data using sets and functions. Tuples and records, which occur very often in TLA+ specifications, are defined as functions. Assertions mixing first-order logic (FOL) with sets, functions, and arithmetic expressions arise frequently in safety proofs of TLA+ specifications. Accordingly, we do not aim at proofs of deep theorems of mathematical set theory but at good automation for obligations mixing elementary set expressions, functions, records, and (linear) integer arithmetic, and our main focus is on SMT solvers, although we have also used the techniques described here with FOL provers. The de facto standard input language for SMT solvers is SMT-LIB [3], which is based on multi-sorted FOL (MS-FOL [12]).

In Section 3 we present the translation from TLA+ to MS-FOL. Although some of the encoding techniques that we use can be found in similar tools for other set-theoretic languages, the particularities of TLA+ make the translation non-trivial:

• Since TLA+ is untyped, "silly" expressions such as 3 ∪ TRUE are legal; they denote some (unspecified) value. TLA+ does not even distinguish between Boolean and non-Boolean expressions, hence Boolean values can be stored in data structures just like any other values.

• Functions, which are defined axiomatically, are total and have a domain. This means that a function applied to an element of its domain has the expected value but for any other argument, the value of the function application is unspecified. Similarly, the behavior of arithmetic operators is specified only for integer arguments.

• TLA+ is equipped with a deterministic choice operator (Hilbert's ε operator), which has to be soundly encoded.

¹ The backends available prior to the work presented here also included a generic translation to the input language of SMT solvers that focused on quantifier-free formulas of linear arithmetic. This SMT backend was occasionally useful because the other backends perform quite poorly on obligations involving arithmetic reasoning. However, it covered only a small subset of TLA+.

² Non-temporal reasoning is enough for proving safety properties and makes up the vast majority of proof steps in liveness proofs.

The first item is particularly challenging for our objectives: whereas an untyped language is very expressive and flexible for writing specifications, standard MS-FOL reasoners rely on types for good automation. In order to support TLA+ expressions in a many-sorted environment, we use only one sort to encode all TLA+ expressions. We therefore call this translation the "untyped" encoding of TLA+, where type inference of sorted expressions such as arithmetic is essentially delegated to the solvers. In the following we will use the terms type and sort interchangeably.

Section 2 describes the underlying logic of TLA+, Section 4 provides experimental results, and Section 5 concludes and gives directions for future work.

Related work. In previous publications [14, 15], we presented primitive encodings of TLA+ into SMT-LIB, where CHOOSE expressions were not fully supported and Boolification was not made explicit in the translation. As a preprocessing step, we developed a type system with dependent and refinement types for TLA+ [16]: an algorithm takes a TLA+ proof obligation and annotates it with types, which are then used to simplify our encoding [15].

Some of the encoding techniques presented in Section 3 were already defined before or are simply folklore, but to our knowledge they have not been combined and studied in this way. Moreover, the idiosyncrasies of TLA+ render their applicability non-trivial. For instance, TLA+'s axiomatized functions with domains, including tuples and records, are deeply rooted in the language.

The Rodin tool set supporting Event-B is based on two translations. The SMT solvers plugin [6] directly encodes simple sets (i.e., excluding sets of sets) as polymorphic λ-expressions, which are non-standard and are only handled by the parser of the veriT SMT solver. The ppTrans plugin [10] generates different SMT sorts for each basic set and every combination of sets (power sets or cartesian products) found in the proof obligation. Similarly, Mentré et al. [13] rely on Why3 as an interface to discharge Atelier-B proof obligations using different SMT solvers, with sets having a polymorphic type.

Recently, Delahaye et al. [7] proposed a different approach to reason about set theory, instead of a direct encoding into FOL. The theory of deduction modulo is an extension of predicate calculus that includes rewriting of terms and of propositions, and which is well suited for proof search in axiomatic theories, as it turns axioms into rewrite rules. For example, Peano arithmetic or Zermelo set theory can be encoded without axioms, turning the proof search based on axioms into computations. Zenon Modulo [7, 9] implements deduction modulo within a first-order theorem prover.

MPTP [17] translates Mizar to TPTP/FOF. The Mizar language provides second-order predicate variables and abstract terms derived from replacement and comprehension, such as the set

{n - m where m, n is Integer : n < m}.

During preprocessing, MPTP replaces them by fresh symbols, with their definitions at the top level. Similar to our abstraction technique (cf. Section 3.3.3), it is comparable to Skolemization. In contrast to our intended application, MPTP is mainly targeted at mathematical reasoning.

2 TLA+ set theory

In this section we describe a fragment of the language of proof obligations generated by the TLA+ Proof System that is relevant for this paper. This language is a variant of FOL with equality, extended in particular by syntax for set, function and arithmetic expressions, and a construct for a deterministic choice operator. For a complete presentation of the TLA+ language see [11, Sec. 16].

We assume given two non-empty, infinite, and disjoint collections V of variable symbols and O of operator symbols,³ each equipped with its arity. The only syntactical category in the language is the expression. For presentational purposes we distinguish between terms, formulas, set objects, etc.

³ TLA+ operator symbols correspond to the standard function and predicate symbols of first-order logic, but we reserve the term "function" for TLA+ functional values.
An expression e is inductively defined by the following grammar:

    e ::= v | w(e, ..., e)                                           (terms)
        | FALSE | e ⇒ e | ∀v : e | e = e | e ∈ e                      (formulas)
        | {} | {e, e} | SUBSET e | UNION e
        | {v ∈ e : e} | {e : v ∈ e}                                   (sets)
        | CHOOSE v : e                                               (choice)
        | e[e] | DOMAIN e | [v ∈ e ↦ e] | [e → e]                     (functions)
        | 0 | 1 | 2 | ... | Int | Nat | -e | e + e | e < e | e .. e   (arithmetic)
        | IF e THEN e ELSE e                                         (conditional)


A term is a variable symbol v in V or an application of an operator symbol w in O to expressions. Formulas are built from FALSE, implication and universal quantification, and from the binary operators = and ∈. From these formulas, we can define the familiar constant TRUE, the unary ¬ and the binary connectives ∧, ∨, ⇔, and the existential quantifier ∃. Also, ∀x ∈ S : e is defined as ∀x : x ∈ S ⇒ e. In standard set theory, sets are constructed from axioms that state their existence. TLA+ has explicit syntax for set objects (empty set, pairing, power set, generalized union, and two forms of set comprehension derived from the standard axiom schema of replacement), whose semantics is defined axiomatically. Since TLA+ is a set theoretic language, every expression, including formulas, functions, numbers, etc., denotes a set.

Another primitive construct of TLA+ is Hilbert's choice operator ε, written CHOOSE x : P(x), that denotes an arbitrary but fixed value x such that P(x) is true, provided that such a value exists. Otherwise the value of CHOOSE x : P(x) is arbitrary. The semantics of CHOOSE is expressed by the following axiom schemas. The first one gives an alternative way of defining quantifiers, and the second one expresses that CHOOSE is deterministic.

$$(\exists x : P(x)) \;\Leftrightarrow\; P(\mathrm{CHOOSE}\ x : P(x)) \tag{1}$$

$$(\forall x : P(x) \Leftrightarrow Q(x)) \;\Rightarrow\; (\mathrm{CHOOSE}\ x : P(x)) = (\mathrm{CHOOSE}\ x : Q(x)) \tag{2}$$

From axiom (2) note that if there is no value satisfying some predicate P, i.e., ∀x : P(x) ⇔ FALSE holds, then (CHOOSE x : P(x)) = (CHOOSE x : FALSE). Consequently, the expression CHOOSE x : FALSE and all its equivalent forms represent a unique value.

Certain TLA+ values are functions. Unlike standard ZF set theory, TLA+ functions are not defined as sets of pairs, but TLA+ provides primitive syntax associated with functions. The expression f[e] denotes the result of applying function f to e, DOMAIN f denotes the domain of f, and [x ∈ S ↦ e] denotes the function g with domain S such that g[x] = e, for any x ∈ S. For x ∉ S, the value of g[x] is unspecified. A TLA+ value f is a function if and only if it satisfies the predicate IsAFcn(f) defined as f = [x ∈ DOMAIN f ↦ f[x]]. The fundamental law governing TLA+ functions is

$$f = [x \in S \mapsto e] \;\Leftrightarrow\; \mathrm{IsAFcn}(f) \wedge \mathrm{DOMAIN}\ f = S \wedge \forall x \in S : f[x] = e \tag{3}$$

Natural numbers 0, 1, 2, ... are primitive symbols of TLA+. Standard modules of TLA+ define Int to denote the set of integer numbers, the operators + and < are interpreted in the standard way when their arguments are integers, and the interval a .. b is defined as {n ∈ Int : a ≤ n ∧ n ≤ b}.

3 Untyped encoding of TLA+ into MS-FOL

We define a translation from TLA+ to multi-sorted first-order logic. Given a TLA+ proof obligation, the system generates an equi-satisfiable formula whose proof can be attempted with automatic theorem provers, including SMT solvers.

The translation proceeds in two main steps. First, a preprocessing and optimization phase applies satisfiability-preserving transformations to a given TLA+ formula in order to remove expressions that the target solver cannot handle. The result is an intermediate basic TLA+ formula, i.e., a TLA+ expression that has an obvious counterpart in the SMT-LIB/AUFLIA language. A basic TLA+ formula is composed only of TLA+ terms and formulas, including equality and set membership relations, plus primitive arithmetic operators and if-then-else expressions. All expressions having a truth value are mapped to the sort Bool, and we declare a new sort U (for TLA+ universe) for all non-Boolean expressions, including sets, functions, and numbers. Thus, we call this the untyped encoding.

3.1 Boolification

Since TLA+ has no syntactic distinction between Boolean and non-Boolean expressions, we first need to determine which expressions are used as propositions. We adopt the liberal interpretation of TLA+ Boolean expressions where any expression with a top-level connective among logical operators, =, and ∈ has a Boolean value.⁴ Moreover, the result of any expression with a top-level logical connective agrees with the result of the expression obtained by replacing every argument e of that connective with (e = TRUE).

For example, consider the expression ∀x : (¬¬x) = x, which is not a theorem. Indeed, x need not be Boolean, whereas ¬¬x is necessarily Boolean, hence we may not conclude that the expression is valid. However, ∀x : (¬¬x) ⇔ x is valid because it is interpreted as ∀x : (¬¬(x = TRUE)) ⇔ (x = TRUE). Observe that the value of x = TRUE is a Boolean for any x, although the value is unspecified if x is non-Boolean.

In order to identify the expressions used as propositions we use a simple algorithm that recursively traverses an expression searching for sub-expressions that should be treated as formulas. Expressions e that are used as Booleans, i.e., that could equivalently be replaced by e = TRUE, are marked as e^b, whose definition can be thought of as e^b ≜ (e = TRUE). This only applies if e is a term, a function application, or a CHOOSE expression. If an expression which is known to be non-Boolean by its syntax, such as a set or a function, is attempted to be Boolified, meaning that a formula is expected in its place, the algorithm aborts with a "type" error. In SMT-LIB we encode x^b as boolify(x), with boolify : U → Bool. The above examples are translated as ∀x^U : (¬¬boolify(x)) = x and ∀x^Bool : (¬¬x) ⇔ x, and their (in)validity becomes evident.

⁴ The standard semantics of TLA+ offers three alternatives to interpret expressions [11, Sec. 16.1.3]. In the liberal interpretation, an expression like 42 ⇒ {} always has a truth value, but it is not specified if that value is TRUE or FALSE. In the conservative and moderate interpretations, the value of 42 ⇒ {} is completely unspecified. Only in the moderate and liberal interpretations does the expression FALSE ⇒ {} have a Boolean value, and that value is TRUE. In the liberal interpretation, all the ordinary laws of logic, such as commutativity of ∧, are valid, even for non-Boolean arguments.

3.2 Direct embedding

Our encoding maps Boolified TLA+ expressions in an almost verbatim way to corresponding formulas in the target language, without substantially changing the structure of the original formula. The goal is to encode TLA+ expressions using essentially first-order logic and uninterpreted functions. For first-order TLA+ expressions it suffices to apply a shallow embedding into the target language. Non-logical TLA+ operators are declared as function or predicate symbols with U-sorted arguments. For example, the operators ∪ and ∈ are encoded in SMT-LIB as the functions union : U × U → U and in : U × U → Bool.

The semantics of standard TLA+ operators are defined axiomatically. The only primitive set-theoretical operator is ∈, so the function in will remain unspecified, while we can express in MS-FOL the axiom for ∪ as

$$\forall x^{U}, S^{U}, T^{U} : \mathrm{in}(x, \mathrm{union}(S, T)) \;\Leftrightarrow\; \mathrm{in}(x, S) \vee \mathrm{in}(x, T) \tag{4}$$

Note that sets are just values in the universe of discourse (represented by the sort U in the sorted translation), and it is therefore possible to represent sets of sets and to quantify over sets. The construct for set enumeration {e₁, ..., eₙ}, with n > 0, is an n-ary expression, so we declare separate uninterpreted functions for the arities that occur in the proof obligation, together with the corresponding axioms.

In order to reason about the theory of arithmetic, an automated prover requires type information, either generated internally, or provided explicitly in the input language. The axioms that we have presented so far rely on FOL over uninterpreted function symbols over the single sort U. For arithmetic reasoning, we want to benefit from the prover's native capabilities. We declare an unspecified, injective function i2u : Int → U that embeds built-in integers into the sort U. The typical injectivity axiom

$$\forall m^{Int}, n^{Int} : \mathrm{i2u}(m) = \mathrm{i2u}(n) \;\Rightarrow\; m = n$$

generates instantiation patterns for every pair of occurrences of i2u. Noting that i2u is injective iff it has a partial inverse, we use instead the axiom ∀n^Int : u2i(i2u(n)) = n, which generates a linear number of i2u(n) instances, where the inverse u2i : U → Int is unspecified. Integer literals k are encoded as i2u(k).

For example, the formula 3 ∈ Int is translated as in(i2u(3), tla_Int) and we have to add to the translation the axiom for Int:

$$\forall x^{U} : \mathrm{in}(x, \mathrm{tla\_Int}) \;\Leftrightarrow\; \exists n^{Int} : x = \mathrm{i2u}(n) \tag{5}$$

Observe that this axiom introduces two quantifiers to the translation. We can avoid the universal quantifier by encoding expressions of the form x ∈ Int directly into ∃n^Int : x = i2u(n), but the provers would still have to deal with the existential quantifier.

Arithmetic operators over TLA+ values are defined homomorphically over the image of i2u by axioms such as

$$\forall m^{Int}, n^{Int} : \mathrm{plus}(\mathrm{i2u}(m), \mathrm{i2u}(n)) = \mathrm{i2u}(m + n) \tag{6}$$

where + denotes the built-in addition over integers. For other arithmetic operators we define analogous axioms.



In all these cases, type inference is, in some sense, delegated to the back-end prover. The link between built-in operations and their TLA+ counterparts is effectively defined only for values in the range of the function i2u. This approach can be extended to other useful theories that are natively supported, such as arrays or algebraic datatypes.
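As an added illustration of Sections 3.1 and 3.2 (not code from the TLAPS backend), the following Python translates a small tuple-encoded TLA+ fragment to SMT-LIB text: terms used as propositions are wrapped in boolify, set-like expressions used as propositions raise the "type" error mentioned above, and preamble() declares sort U with the axioms (4) to (6). The AST tags, the constant name tla_Int and the rejection of formulas in term positions are assumptions of this example.

```python
# Expression tags (assumed for this example): ('var', name), ('num', k),
# ('app', sym, e...), ('union', s, t), ('plus', a, b), ('in', a, b), ('eq', a, b),
# ('not', f), ('implies', f, g), ('iff', f, g), ('forall', name, body), ('false',).
TERM_TAGS = {'var', 'num', 'app', 'union', 'plus'}   # expressions of sort U
SET_LIKE = {'union', 'num', 'plus'}                 # non-Boolean by their syntax
CONNECTIVES = {'not': 'not', 'implies': '=>', 'iff': '='}

def translate(e, as_formula):
    """Return the SMT-LIB text of e; as_formula says whether a Bool is expected."""
    tag = e[0]
    if tag in TERM_TAGS:
        if tag == 'var':
            t = e[1]
        elif tag == 'num':
            t = '(i2u %d)' % e[1]                       # integer literals go through i2u
        elif tag == 'app':
            args = [translate(a, False) for a in e[2:]]
            t = '(%s %s)' % (e[1], ' '.join(args)) if args else e[1]
        else:                                           # union / plus : U x U -> U
            t = '(%s %s %s)' % (tag, translate(e[1], False), translate(e[2], False))
        if not as_formula:
            return t
        if tag in SET_LIKE:                             # a set or number in formula position
            raise TypeError('cannot Boolify non-Boolean expression: %r' % (e,))
        return '(boolify %s)' % t                       # e^b for terms and applications
    if not as_formula:
        # Simplification of this example: a formula in a term position is rejected
        # rather than given a value as the liberal interpretation would.
        raise TypeError('formula used as a U-sorted term: %r' % (e,))
    if tag == 'false':
        return 'false'
    if tag == 'in':
        return '(in %s %s)' % (translate(e[1], False), translate(e[2], False))
    if tag == 'eq':                                     # equality is between U-sorted terms
        return '(= %s %s)' % (translate(e[1], False), translate(e[2], False))
    if tag == 'forall':                                 # every bound variable is U-sorted
        return '(forall ((%s U)) %s)' % (e[1], translate(e[2], True))
    if tag in CONNECTIVES:
        args = ' '.join(translate(a, True) for a in e[1:])
        return '(%s %s)' % (CONNECTIVES[tag], args)
    raise ValueError('unknown tag %r' % tag)

def preamble():
    """Sort U, the uninterpreted symbols and the axioms (4), (5), (6)."""
    return '\n'.join([
        '(set-logic AUFLIA)',
        '(declare-sort U 0)',
        '(declare-fun boolify (U) Bool)',
        '(declare-fun in (U U) Bool)',
        '(declare-fun union (U U) U)',
        '(declare-fun plus (U U) U)',
        '(declare-fun i2u (Int) U)',
        '(declare-fun u2i (U) Int)',
        '(declare-const tla_Int U)',
        # axiom (4): membership in a union
        '(assert (forall ((x U) (S U) (T U)) (= (in x (union S T)) (or (in x S) (in x T)))))',
        # partial inverse instead of the quadratic injectivity axiom for i2u
        '(assert (forall ((n Int)) (= (u2i (i2u n)) n)))',
        # axiom (5): membership in Int
        '(assert (forall ((x U)) (= (in x tla_Int) (exists ((n Int)) (= x (i2u n))))))',
        # axiom (6): plus is homomorphic over the image of i2u
        '(assert (forall ((m Int) (n Int)) (= (plus (i2u m) (i2u n)) (i2u (+ m n)))))',
    ])

def obligation_script(goal):
    """Complete script: validity of goal is checked by refuting its negation."""
    return '%s\n(assert (not %s))\n(check-sat)\n' % (preamble(), translate(goal, True))
```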

3.3 Preprocessing and optimizations

The above encoding has two limitations. First, some TLA+ expressions cannot be written in first-order logic. Namely, they are {x ∈ S : P}, {e : x ∈ S}, CHOOSE x : P, and [x ∈ S ↦ e], where the predicate P and the expression e, both of which may have x as free variable, become second-order variables when quantified. Secondly, the above encoding does not perform and scale well in practice. State-of-the-art SMT solvers provide instantiation patterns to control the potential explosion in the number of ground terms generated for instantiating quantified variables, but we have not been able to come up with patterns to attach to the axiom formulas that would significantly improve the performance, even for simple theorems.

What we do instead is to perform several transformations on the TLA+ proof obligation to obtain an equi-satisfiable formula which can be straightforwardly passed to the solvers using the above encoding.

3.3.1 Normalization

We define a rewriting process that systematically expands definitions of non-basic operators. Instead of letting the solver find instances of the background axioms, it applies the "obvious" instances of those axioms during the translation. In most cases, we can eliminate all non-basic operators. For instance, the ZF axiom for the UNION operator yields the rewriting rule

$$x \in \mathrm{UNION}\ S \;\rightarrow\; \exists T \in S : x \in T.$$

All defined rewriting rules apply equivalence-preserving transformations. We ensure soundness by proving in Isabelle/TLA+ that all rewriting rules correspond to theorems of TLA+. The theorem corresponding to a rule e → f is ∀x : e ⇔ f when e and f are Boolean expressions and ∀x : e = f otherwise, where x denotes all free variables in the rule. Most of these theorems already exist in the standard library of Isabelle/TLA+.

The standard extensionality axiom for sets is unwieldy because it introduces an unbounded quantifier, which can be instantiated by any value of sort U. We therefore decided not to include it in the default background theory. Instead, we instantiate equality expressions x = y whenever possible with the extensionality property corresponding to x or y. In these cases, we say that we expand equality. For each set expression T we derive rewriting rules for equations x = T and T = x. For instance, the rule

$$x = \{z \in S : P\} \;\rightarrow\; \forall z : z \in x \Leftrightarrow z \in S \wedge P$$

is derived from set extensionality and the ZF axiom of bounded set comprehension.

By not including general extensionality, the translation becomes incomplete. Even if we assume that the automated theorem provers are semantically complete, it may happen that the translation of a semantically valid TLA+ formula becomes invalid when encoded. In these cases, the user will need to explicitly add the axiom to the TLA+ proof.

We also include the rule

$$\forall z : z \in x \Leftrightarrow z \in y \;\rightarrow\; x = y$$

for the contraction of set extensionality, which we apply with higher priority than the expansion rules. All above rules of the form φ → ψ define a term rewriting system [2] noted (TLA+, →), where → is a binary relation over well-formed TLA+ expressions.

Theorem 1. (TLA+, →) terminates and is confluent.

Proof (idea). Termination is proved by embedding (TLA+, →) into another reduction system that is known to terminate, typically (ℕ, >) [2]. The embedding is through an ad-hoc monotone mapping μ such that μ(a) > μ(b) for every rule a → b. It is defined in such a way that every rule instance strictly decreases the number of non-basic and complex expressions such as quantifiers or arithmetic expressions. For confluence, by Newman's lemma [2], it suffices to prove that all critical pairs are joinable. Thus, we just need to find the critical pairs (e₁, e₂) between all combinations of rewriting rules, and then prove that e₁ and e₂ are joinable for each such pair. In particular, the contraction rule is necessary to obtain a strongly normalizing system. □

3.3.2 Functions

A TLA+ function [x ∈ S ↦ e(x)] is akin to a "bounded" λ-abstraction: the function application [x ∈ S ↦ e(x)][y] reduces to the expected value e(y) if the argument y is an element of S, as stated by the axiom (3). As a consequence, e.g., the formula

$$f = [x \in \{1, 2, 3\} \mapsto x * x] \;\Rightarrow\; f[0] < f[0] + 1,$$

although syntactically well-formed, should not be provable. Indeed, since 0 is not in the domain of f, we cannot even deduce that f[0] is an integer.

We represent the application of an expression f to another expression x by two distinct first-order terms depending on whether the domain condition x ∈ DOMAIN f holds or not: we introduce binary operators α and ω with conditional definitions

$$x \in \mathrm{DOMAIN}\ f \Rightarrow \alpha(f, x) = f[x] \qquad\text{and}\qquad x \notin \mathrm{DOMAIN}\ f \Rightarrow \omega(f, x) = f[x].$$

From these definitions, we can derive the theorem

$$f[x] = \mathrm{IF}\ x \in \mathrm{DOMAIN}\ f\ \mathrm{THEN}\ \alpha(f, x)\ \mathrm{ELSE}\ \omega(f, x) \tag{7}$$

that gives a new defining equation for function application. In this way, functions are just expressions that are conditionally related to their argument by α and ω.

The expression f[0] in the above example is encoded as

$$\mathrm{IF}\ 0 \in \mathrm{DOMAIN}\ f\ \mathrm{THEN}\ \alpha(f, 0)\ \mathrm{ELSE}\ \omega(f, 0).$$

The solver would have to use the hypothesis to deduce that DOMAIN f = {1, 2, 3}, reducing the condition 0 ∈ DOMAIN f to FALSE. The conclusion can then be simplified to ω(f, 0) < ω(f, 0) + 1, which cannot be proved, as expected. Another example is f[x] = f[y] in a context where x = y holds: the formula is valid irrespective of whether the domain conditions hold or not.

Whenever possible, we try to avoid the encoding of function application as in the definition (7). From (3) and (7), we deduce the rewriting rule

$$[x \in S \mapsto e][a] \;\rightarrow\; \mathrm{IF}\ a \in S\ \mathrm{THEN}\ e[x \leftarrow a]\ \mathrm{ELSE}\ \omega([x \in S \mapsto e], a) \tag{8}$$

where e[x ← a] denotes e with a substituted for x. This rule replaces two non-basic operators (function application and the function expression) in the left-hand side by only one non-basic operator in the right-hand side (the first argument of ω).

The expression [x ∈ S ↦ e] cannot be mapped directly to a first-order expression. Even in sorted languages like MS-FOL, functions have no notion of function domain other than the types of their arguments. Explicit functions will be treated by the abstraction method below. What we can do for the moment is to expand equalities involving functions. The following rewriting rule derived from axiom (3) replaces the function construct by a formula containing only basic operators:

$$f = [x \in S \mapsto e] \;\rightarrow\; \mathrm{IsAFcn}(f) \wedge \mathrm{DOMAIN}\ f = S \wedge \forall x \in S : \alpha(f, x) = e$$

Observe that we have simplified f[x] by α(f, x), because x ∈ DOMAIN f. This mechanism summarizes the essence of the abstraction method to deal with non-basic operators described in the next subsection.

In order to prove that two functions are equal, we need to add a background axiom that expresses the extensionality property for functions:

$$\forall f, g : \big(\mathrm{IsAFcn}(f) \wedge \mathrm{IsAFcn}(g) \wedge \mathrm{DOMAIN}\ f = \mathrm{DOMAIN}\ g \wedge \forall x \in \mathrm{DOMAIN}\ g : \alpha(f, x) = \alpha(g, x)\big) \;\Rightarrow\; f = g$$

Again, note that f[x] and g[x] were simplified using α. Unlike set extensionality, this formula is guarded by IsAFcn, avoiding the instantiation of expressions that are not considered functions. To prove that DOMAIN f = DOMAIN g, we would still need to add to the translation the set extensionality axiom, which we abstain from. Instead, reasoning about the equality of domains can be solved with an instance of set extensionality for domain expressions only.

TLA+ defines n-tuples as functions with domain 1 .. n and records as functions whose domain is a finite set of strings. By treating them as non-basic expressions, we just need to add suitable rewriting rules to (TLA+, →), in particular those for extensionality expansion.

3.3.3 Abstraction

Applying rewriting rules does not always suffice for obtaining formulas in basic normal form. As a toy example, consider the valid proof obligation ∀x : P({x} ∪ {x}) ⇔ P({x}). The impediment is that the non-basic sub-expressions {x} ∪ {x} and {x} do not occur in the form expected by the left-hand sides of rewriting rules. They must first be transformed into a form suitable for rewriting.

We call the technique described here abstraction of non-basic expressions. After applying rewriting, some non-basic expression ψ may remain in the proof obligation. For every occurrence of ψ, we introduce in its place a fresh term y, and add the formula y = ψ as an assumption in the appropriate context. The new term acts as an abbreviation for the non-basic expression, and the equality acts as its definition, paving the way for a transformation to a basic expression using the above rewriting rules. Non-basic expressions occurring more than once are replaced by the same fresh symbol.

In our example the expressions {x} ∪ {x} and {x} are replaced by fresh symbols k₁(x) and k₂(x). Then, the abstracted formula is

$$\begin{aligned}
& \forall y_1 : k_1(y_1) = \{y_1\} \cup \{y_1\} \\
\wedge\; & \forall y_2 : k_2(y_2) = \{y_2\} \\
\Rightarrow\; & \forall x : P(k_1(x)) \Leftrightarrow P(k_2(x)),
\end{aligned}$$

which is now in a form where it is possible to apply the instances of extensionality to the equalities in the newly introduced definitions. In order to preserve satisfiability of the proof obligation, we have to add as hypotheses instances of extensionality contraction for every pair of definitions where extensionality expansion was applied. The final equi-satisfiable formula in basic normal form is

$$\begin{aligned}
& \forall z, y : z \in k_1(y) \Leftrightarrow z = y \vee z = y \\
\wedge\; & \forall z, y : z \in k_2(y) \Leftrightarrow z = y \\
\wedge\; & \forall y_1, y_2 : (\forall z : z \in k_1(y_1) \Leftrightarrow z \in k_2(y_2)) \Rightarrow k_1(y_1) = k_2(y_2) \\
\Rightarrow\; & \forall x : P(k_1(x)) \Leftrightarrow P(k_2(x)).
\end{aligned}$$

3.3.4 Eliminating definitions

To improve the encoding, we introduce a procedure that eliminates definitions, having the opposite effect of the abstraction method where definitions are introduced and afterwards expanded to basic expressions. This process collects definitions of the form x = ψ, and then simply substitutes every occurrence of the term x by the non-basic expression ψ in the rest of the context, by applying the equality oriented as the rewriting rule x → ψ. The definitions we want to eliminate typically occur in the original proof obligation, meaning that they are not artificially introduced. In the following subsection, we will explain the interplay between normalization, definition abstraction, and definition elimination.

This transformation produces expressions that can eventually be normalized to their basic form. The restriction that x does not occur in ψ avoids rewriting loops and ensures termination of this process. For instance, the two equations x = y and y = x + 1 will be transformed into y = y + 1, which cannot further be rewritten.⁵ After applying the substitution, we can safely discard from the resulting formula the definition x = ψ, when x is a variable. However, we must keep the definition if x is an applied operator. Suppose we discard an assumption DOMAIN f = S, where the conclusion is f ∈ [S → T]. Only after applying the rewriting rules will the conclusion be expanded to an expression containing DOMAIN f, but the discarded fact required to simplify it to S will be missing.

⁵ The problem of efficiently eliminating definitions from propositional formulas is a major open question in the field of proof complexity. The definition-elimination procedure can result in an exponential increase in the size of the formula when applied naively [1].

3.3.5 Preprocessing algorithm 

Now we can put together the encoding techniques described above in a single 
algorithm that we call Preprocess. 

Preprocess(4 >) = 4> Reduce(4>) = cj) 

> Boolify > Fix (Eliminate o Rewrite) 

> Fix Reduce > Fix (Abstract o Rewrite) 

Here, Fix A means that step A is executed until reaching a fixed point, the 
combinator >, used to chain actions on a formula (f> , is defined as cf»f = /(</>), 
and function composition o is defined as / o g = A 4>. g(f(4>)). 

The Preprocess algorithm takes a TLA+ formula φ, Boolifies it and then applies repeatedly the step called Reduce, until reaching a fixed point, to transform the formula into a basic normal form. Only then is the resulting formula ready to be translated to the target language using the embedding of Section 3.2. In turn, Reduce first eliminates the definitions in the given formula (Sect. 3.3.4), applies the rewriting rules (Sect. 3.3.1) repeatedly, and then applies abstraction (Sect. 3.3.3) followed by rewriting repeatedly. Observe that the elimination step is in some sense opposite to the abstraction step: the first one eliminates every definition x = ψ by using it as the rewriting rule x → ψ, while the latter introduces a new symbol x in the place of an expression ψ and asserts x = ψ, where ψ is non-basic in both cases. Therefore, elimination should only be applied before abstraction, and each of those should be followed by rewriting.

The Preprocess algorithm is sound because it is composed of sound substeps. It also terminates, meaning that it will always compute a basic normal formula, but with a caveat: we have to be careful that Abstract and Eliminate do not repeatedly act on the same expression. Eliminate does not produce non-basic expressions, but Abstract generates definitions that can be processed by Eliminate, reducing them again to the original non-basic expression. That is the reason for Rewrite to be applied after every application of Abstract: the new definitions are rewritten, usually by an extensionality expansion rule. In short, termination depends on the existence of extensionality rewriting rules for each kind of non-basic expression that Abstract may catch. Then, for any TLA+ expression there exists an equi-satisfiable basic expression in normal form that the algorithm will compute.
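As an added illustration that is not part of the paper or of the tlaps implementation, the following Python model implements the Eliminate step of Section 3.3.4 with its occurs-check restriction, together with the Fix combinator of Section 3.3.5, over a toy term language; the tuple term representation and all function names are this example's own assumptions. Run on the paper's own pair of equations x = y and y = x + 1, it yields y = y + 1, which is not rewritten further because y occurs on its right-hand side.

```python
# Added example (not the paper's code): a toy model of the Eliminate step of
# Section 3.3.4 with its occurs-check restriction, plus the Fix combinator.
# Assumed term representation: a variable is a str, a constant an int, an
# application is ("op", arg1, ...). Only equations ("=", lhs, rhs) are modelled.
from typing import Any, Callable, List, Tuple

Term = Any
Formula = Tuple[str, Term, Term]

def occurs(x: str, t: Term) -> bool:
    """True if variable x occurs anywhere in term t."""
    if isinstance(t, str):
        return t == x
    if isinstance(t, tuple):
        return any(occurs(x, a) for a in t[1:])
    return False

def subst(t: Term, x: str, psi: Term) -> Term:
    """Apply the rewriting rule x -> psi to term t."""
    if isinstance(t, str):
        return psi if t == x else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(a, x, psi) for a in t[1:])
    return t

def eliminate(formulas: List[Formula]) -> List[Formula]:
    """One Eliminate step: take the first definition x = psi whose left side is
    a variable not occurring in psi, rewrite every other formula with x -> psi
    and discard the definition. The occurs check is what rules out loops."""
    for i, (op, lhs, rhs) in enumerate(formulas):
        if op == "=" and isinstance(lhs, str) and not occurs(lhs, rhs):
            rest = formulas[:i] + formulas[i + 1:]
            return [(o, subst(a, lhs, rhs), subst(b, lhs, rhs)) for o, a, b in rest]
    return formulas  # no eligible definition left: this is a fixed point

def fix(step: Callable[[Any], Any], phi: Any) -> Any:
    """The Fix combinator: apply step until the formula stops changing."""
    while True:
        nxt = step(phi)
        if nxt == phi:
            return phi
        phi = nxt

# Constructed input, the paper's own illustration: x = y and y = x + 1.
EXAMPLE: List[Formula] = [("=", "x", "y"), ("=", "y", ("+", "x", 1))]
def run_example() -> List[Formula]:
    return fix(eliminate, EXAMPLE)

if __name__ == "__main__":
    print(run_example())  # [('=', 'y', ('+', 'y', 1))]
```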
3.4 Encoding CHOOSE

The CHOOSE operator is notoriously difficult for automatic provers to reason about. Nevertheless, we can exploit CHOOSE expressions by using the axioms that define them. By introducing a definition for CHOOSE x: P(x), we obtain the theorem

(y = CHOOSE x: P(x)) ⇒ ((∃x: P(x)) ⇔ P(y)),

where y is some fresh symbol. This theorem can be conveniently used as a rewriting rule after abstraction of CHOOSE expressions, and for CHOOSE expressions that occur negatively, in particular, as hypotheses of proof obligations.

For determinism of choice (axiom (2)), suppose an arbitrary pair of CHOOSE expressions

φ₁ = CHOOSE x: P(x) and φ₂ = CHOOSE x: Q(x)

where the free variables of φ₁ are x₁, ..., xₙ (noted x̄) and those of φ₂ are y₁, ..., yₘ (noted ȳ). We need to check whether formulas P and Q are equivalent for every pair of expressions φ₁ and φ₂ occurring in a proof obligation. By abstraction of φ₁ and φ₂, we obtain the axiomatic definitions ∀x̄: f₁(x̄) = CHOOSE x: P(x) and ∀ȳ: f₂(ȳ) = CHOOSE x: Q(x), where f₁ and f₂ are fresh operator symbols of suitable arity. Then, we state the extensionality property for the pair φ₁ and φ₂ as the axiom

∀x̄, ȳ: (∀x: P(x) ⇔ Q(x)) ⇒ f₁(x̄) = f₂(ȳ).


4 Evaluation 

In order to validate our approach we reproved several test cases that had been proved interactively using the previously available tlaps back-end provers, namely Zenon, Isabelle/TLA+ and the decision procedure for Presburger arithmetic. We will refer to the combination of those three backends as ZIP for short.

For each benchmark, we compare two dimensions of an interactive proof: 
size and time. We define the size of an interactive proof as the number of 
non-trivial proof obligations generated by the Proof Manager. This number 
is proportional to the number of interactive steps and therefore represents 
the user effort for making TLAPS check the proof. The time is the number of 
seconds required by the Proof Manager to verify those proofs on a standard 
laptop. 
                      ZIP       CVC4            Z3
              size             u      t       u      t
Peterson         3      -    0.41   0.46    0.34   0.40
Peterson        10   5.69    0.78   0.96    0.80   0.97
Bakery          16      -       -   6.57       -   7.15
Bakery         223  52.74
Memoir-T         1      -        -          1.99   1.53
Memoir-T        12      -    3.11   3.46    3.21   3.51
Memoir-T       424   7.31
Memoir-I         8      -    3.84   5.79    9.35  10.23
Memoir-I        61   8.20
Memoir-A        27      -   11.31  14.36   11.46  14.30
Memoir-A       126  19.10

Finite sets           ZIP       Zenon+SMT
              size          size      u      t
CardZero        11   5.42      5   0.48   0.48
CardPlusOne     39   5.35      3   0.49   0.52
CardOne          6   5.36      1   0.35   0.35
CardOneConv      9   0.63      2   0.35   0.36
FiniteSubset    62   7.16     19      -   5.77
PigeonHole      42   7.07     20   7.01   7.22
CardMinusOne    11   5.44      5   0.75   0.73

Table 1: Evaluation benchmarks results. An entry with the symbol "-" means that the solver has reached the timeout without finding the proof for at least one of the proof obligations. The backends were executed with a timeout of 300 seconds.

Table 1 presents the results for four case studies: mutual exclusion proofs of the Peterson and Bakery algorithms, type-correctness and refinement proofs of the Memoir security architecture [8], and proofs of theorems about the cardinality of finite sets. We compare how proofs of different sizes are handled by the backends. Each line corresponds to an interactive proof of a given size. Columns correspond to the running times for a given smt solver, where each prover is executed on all generated proof obligations. For our tests we have used the state-of-the-art SMT solvers CVC4 v1.3 and Z3 v4.3.0. For each prover we present two different times corresponding to the untyped encoding (the column labeled u) and the optimized encoding using the type system with refinement types [16] (labeled t).
In all cases, the use of the new backend leads to significant reductions in proof sizes and running times compared to the original interactive proofs. In particular, the “shallow” proofs of the first three case studies required only minimal interaction. We have also used the new SMT backend with good success on several proofs not shown here. Both smt solvers offer similar results, with Z3 being better at reasoning about arithmetic. In a few cases CVC4 is faster or even proves obligations on which Z3 fails. Some proof obligations can be proved only by Zenon, in the case of big structural high-level formulas, or only using the “typed” encoding, because heavy arithmetic reasoning is required.

5 Conclusions 

We have presented a sound and effective way of discharging TLA+ proof obligations using automated theorem provers based on many-sorted first-order logic. This encoding was implemented in a back-end prover that integrates external SMT solvers as oracles to the TLA+ Proof System tlaps. The main component of the backend is a generic translation framework that makes available to tlaps any SMT solver that supports the de facto standard format smt-lib/auflia. We have also used the same framework for integrating automated theorem provers based on unsorted fol, such as those based on the superposition calculus.

The resulting translation can handle a useful fragment of the TLA + 
language, including set theory, functions, linear arithmetic expressions, and 
the CHOOSE operator (Hilbert’s choice). Encouraging results show that smt 
solvers significantly reduce the effort of interactive reasoning for verifying 
“shallow” TLA + proof obligations, as well as some more involved formulas 
including linear arithmetic expressions. Both the size of the interactive 
proof, which reflects the number of user interactions, and the time required 
to find automatic proofs can be remarkably reduced with the new back-end 
prover. 

The mechanism that combines term-rewriting with abstraction enables the backend to successfully handle CHOOSE expressions, tuples, records, and TLA+ functions (λ-abstractions with domains). However, our rewriting method may introduce many additional quantifiers, which can be difficult for the automated provers to handle.

The untyped universe of TLA+ is represented as a universal sort in ms-fol. Purely set-theoretic expressions are mapped to formulas over uninterpreted symbols, together with relevant background axioms. The built-in integer sort and arithmetic operators are homomorphically embedded into the universal sort, and type inference is in essence delegated to the solver. The soundness of the encoding is immediate: all the axioms about sets, functions, records, tuples, etc. are theorems in the background theory of TLA+ that exist in the Isabelle encoding. The “lifting” axioms for the encoding of arithmetic assert that TLA+ arithmetic coincides with smt arithmetic over integers. For ensuring completeness of our encoding, we would have to include the standard axiom of set extensionality in the background theory. For efficiency reasons, we include only instances of extensionality for specific sets, function domains, and functions.

The translation presented here forms the basis for further optimizations. In [16] we have explored the use of (incomplete) type synthesis for TLA+ expressions, based on a type system with dependent and refinement types. Extensions for reasoning about real arithmetic and finite sequences would be useful. More importantly, we rely on the soundness of external provers, temporarily including them as part of tlaps’s trusted base. In future work we intend to reconstruct within Isabelle/TLA+ (along the lines presented in [4]) the proof objects that many smt solvers can produce. Such a reconstruction would have to take into account not only the proofs generated by the solvers, but also all the steps performed during the translation, including rewriting and abstraction.